[FQ] Encrypt Plex password #2
Comments
|
Even better (at least in my opinion) would be to not store the password at all. I've changed plexWatch/Web to only store the authentication token. If the token is ever invalidated it directs the users to the settings page to generate a new one. I don't want to be responsible for storing the password, and encrypting it is pointless as the decryption must be able to be performed by the same application... and thus just as easily accessible as the password. |
|
Indeed. There is actually no need to save the password. I'll work that into the next commit. Thanks. |
|
Latest commit now only stores your token (d2c65e6) You can enter it manually or use the new javascript auth tool which talks directly with plex.tv. |
|
That's even better than sending it back to the server at all, I might have to move plexWatch/Web to that model 😛. |
|
It made the most sense to do it this way. Otherwise you you're adding another layer to slow things down as well as the issue of sending the credentials over an insecure connection if the user hasn't enabled SSL on the installation. |
|
Yep, exactly. Also this way you are using the browser to handle the HTTPS, which is going to be one of the most up to date things out there for support of that. Python probably does this better but in PHP land quite often you are stuck with very old OpenSSL libraries unless the user has done some customization. |
After doing some configuration in the webinterface I saw that the password(s) get's saved unencrypted in the config.ini file. So I would wish me that the passwords gets encrypted in the future :)
The text was updated successfully, but these errors were encountered: